Coordinated Disclosure Timeline

Summary

Appsmith is vulnerable to GitHub Actions expression injection, allowing an attacker to alter the repository and steal secrets.

Project

Appsmith

Tested Version

Latest changeset at the time of reporting.

Details

Code injection in ci-test-limited.yml (GHSL-2024-277)

The ci-test-limited.yml is a reusable workflow, i.e. it can be triggered from other workflows via workflow_call. In the Set Commit Message step a potentially untrusted commit message, if defined, is used in a bash script in an unsafe manner: instead of being read as the shell variable $EVENT_COMMITS, it is interpolated into the script text with the ${{ env.EVENT_COMMITS }} expression, which the runner expands before bash ever parses the script, so quoting inside the script offers no protection:

      - name: Set Commit Message
        env:
          EVENT_COMMITS: ${{ toJson(github.event.commits[0].message) }}
        run: |
          if [[ ${{ inputs.pr }} -ne 0 && ${{github.event_name}} == 'repository_dispatch' ]]; then
            echo "COMMIT_INFO_MESSAGE=${{ env.COMMIT_INFO_MESSAGE }}" >> $GITHUB_ENV
          elif [[ ${{ inputs.pr }} -ne 0 && ${{github.event_name}} == 'workflow_dispatch' ]]; then
            echo "COMMIT_INFO_MESSAGE=Workflow run on PR# ${{ inputs.pr }}" >> $GITHUB_ENV
          else
            if [[ '${{env.EVENT_COMMITS}}' == 'null' ]]; then
              echo "COMMIT_INFO_MESSAGE=${{ github.event_name }} by ${{ env.COMMIT_INFO_AUTHOR }}" >> $GITHUB_ENV
            else
              echo "COMMIT_INFO_MESSAGE=$(echo \"${{ env.EVENT_COMMITS }}\" | awk -F '\\\\n' '{print $1}' | sed 's/^\"//')" >> $GITHUB_ENV
            fi
          fi

The first unsafe usage is the line if [[ '${{env.EVENT_COMMITS}}' == 'null' ]]; then and the second is echo "COMMIT_INFO_MESSAGE=$(echo \"${{ env.EVENT_COMMITS }}\" .... A malicious commit message would be able to close the single-quoted string and inject a bash command into the script. For example the message ' == '' || 1 ]]; then id # turns the first line into if [[ '"' == '' || 1 ]]; then id #"' == 'null' ]]; then (the leading " comes from toJson), which executes the id command; the # comments out the rest of that line, and the following lines of the step still supply the else and fi that keep the script parseable. The standard mitigation is to keep the value in the env: block only and reference it as the quoted shell variable "$EVENT_COMMITS", so that it is handled as data rather than code.
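The following script is an added illustration, not code from the advisory or from the Appsmith repository. It reproduces the mechanism behind GHSL-2024-277 locally by doing what the runner does: the vulnerable variant substitutes the commit message textually into the step script before bash parses it, the hardened variant passes the same value through the environment and reads it as a quoted shell variable. The commit message, the to_json stand-in for toJson(), and the echo NULL / echo DATA branches are constructed for the demonstration; id is replaced by echo INJECTED so the effect is easy to check.

```shell
#!/bin/sh
# Added example (not the advisory's or the project's code): simulate how the
# GitHub Actions runner expands ${{ env.EVENT_COMMITS }} into a step script,
# and contrast it with reading "$EVENT_COMMITS" from the environment.

# Constructed attacker-controlled commit message: the payload quoted in the
# advisory, with `echo INJECTED` standing in for `id`.
PAYLOAD="' == '' || 1 ]]; then echo INJECTED #"

# Stand-in for toJson(): wraps the message in JSON double quotes. The real
# function also escapes embedded double quotes and control characters, which
# the payload does not contain, so this is sufficient here.
to_json() { printf '"%s"' "$1"; }

# Vulnerable pattern: the expression is replaced by the raw value in the script
# text, mirroring `if [[ '${{env.EVENT_COMMITS}}' == 'null' ]]; then`.
# Multi-line on purpose, as in the original step: the lines after the injected
# `#` comment still provide the `else`/`fi` that keep the script parseable.
vulnerable_script() {
  printf "if [[ '%s' == 'null' ]]; then\n  echo NULL\nelse\n  echo DATA\nfi\n" "$(to_json "$1")"
}

# Hardened pattern: the script text is constant; the value arrives through the
# environment and is referenced as a quoted shell variable.
hardened_script() {
  printf '%s\n' 'if [[ "$EVENT_COMMITS" == "null" ]]; then' '  echo NULL' 'else' '  echo DATA' 'fi'
}

# Run each generated script the way the runner would: bash, fed the script text.
run_vulnerable() { bash -c "$(vulnerable_script "$1")"; }
run_hardened()   { EVENT_COMMITS="$(to_json "$1")" bash -c "$(hardened_script)"; }

echo "--- vulnerable, benign message ---";    run_vulnerable "fix: typo"   # DATA
echo "--- vulnerable, malicious message ---"; run_vulnerable "$PAYLOAD"    # INJECTED, then NULL
echo "--- hardened, malicious message ---";   run_hardened "$PAYLOAD"      # DATA
```

With the malicious message the vulnerable script prints INJECTED before falling into the original then branch, showing that the attacker's text became shell syntax; the hardened script prints DATA because the same bytes never leave the variable.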

Impact

An attacker who achieves command execution in this job would be able to steal the DOCKER_HUB_USERNAME, DOCKER_HUB_ACCESS_TOKEN and multiple CYPRESS_* secrets, and would obtain a GITHUB_TOKEN with full write permissions to the repository:

GITHUB_TOKEN Permissions
  Actions: write
  Attestations: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

Resources

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-277 in any communication regarding this issue.